Abstract

The aim of this project is to enable enforcement of integrity safety in systems of independently-developed components. In this project, we explore this problem from three perspectives. First, we developed integrity safety properties and mechanisms to enforce them. In particular, we developed resource retrieval (access) integrity, which protects programs when retrieving system resources, and implemented the process firewall mechanism to enforce this property. Second, we developed integrity safety mechanisms for a variety of software, including web browsers (to protect them from browser extensions), kernel software (to enforce resource retrieval integrity and fine-grained control-flow integrity of approved code), and user-space programs (to enforce access control policies). Third, we developed methods to retrofit software to enforce integrity safety properties mostly-automatically through safety games and authorization constraints. Both of these methods enable efficient deployment of code to enforce expected integrity requirements. This work has been published at several top conferences in computer security and programming languages, and some of the projects have been packaged for open-source distribution.


1  Overview 

The aim of this project was to develop methods to improve the integrity safety of programs. That is, when a program performs a security-sensitive operation, such as a system call, an indirect control transfer, or an instruction that modifies critical program data, can we define and enforce properties that protect the integrity of those operations?

The team of Dr. Trent Jaeger (Penn State, PI), Dr. Vinod Ganapathy (Rutgers), and Somesh Jha (Wisconsin, Madison) developed several methods to enhance the integrity safety of programs. First, we developed new principles for enhancing integrity safety. We defined principles to ensure that: (1) only approved kernel code is executed, even when the kernel is compromised; (2) each system resource access is either protected from adversary tampering or is restricted to adversary-accessible resources; (3) the retrofitting of programs cannot enable an adversary to control the execution of a program in a manner that would violate a safety game or a set of constraints.

Second, we improved the effectiveness of existing system and system development mechanisms by applying the principles above or by improving the application of known integrity safety principles. For example, we extend the traditional OS reference monitor with a process firewall mechanism, which is capable of enforcing distinct security policies for each system call to protect program integrity. This mechanism has been optimized to provide system-wide enforcement at low overhead (less than 4% over several macrobenchmarks). In addition, we have shown that known integrity defenses, such as control-flow integrity and browser extension confinement, can be leveraged more effectively (in a more automated way) to provide tighter security (finer-grained enforcement).

Third, we have applied integrity safety to several types of software, including kernel software, middleware, and server programs. Kernel software provides a foundation for integrity, and we show that we can both restrict kernel execution to approved code and greatly restrict code reuse attacks on that code (using fine-grained control-flow integrity). Given integrity protection of the kernel, the process firewall kernel module can enforce integrity safety over the retrieval of individual resources by each program in the system. In addition, protections against browser extensions can protect complex middleware programs. Finally, information flow integrity protections in general can be enforced by retrofitting the program to satisfy integrity constraints, as we have explored using safety games and constraint systems.
Work on kernel integrity, the process firewall, and automated techniques for retrofitting legacy code with security is of broad interest in the research community, so we are exploring how to make such methods viable for commercial purposes. As an initial step, we are exploring the integration of such mechanisms in conventional kernels, such as Linux, FreeBSD, and Windows, and ecosystems, such as LLVM, to enable open-sourcing of such mechanisms. For example, we have released the process firewall for Linux and are planning to release our control-flow integrity enforcing FreeBSD kernel. In addition, Samsung has deployed a version of a mechanism that restricts kernels to approved code that obeys our requirements, as part of their Knox project, and we will likely collaborate with them in the near future. This work has also influenced a new NSF-funded project on retrofitting legacy code for multiple defenses, on which PIs Jaeger and Ganapathy participate.

In the remainder of this report, we review our research results describing the addition of integrity safety defenses in kernel software, middleware, and user-space programs, in one section each.

2  Integrity  Safety  in  Kernel  Software 

We explored methods to improve integrity safety in kernel software from two perspectives. First, we investigated the problem of protecting the integrity of system resource retrieval. A variety of vulnerabilities, such as link traversal, directory traversal, file squatting, and file system time-of-check-to-time-of-use (TOCTTOU) attacks, result from programs being tricked by adversaries into retrieving system resources (e.g., files, IPCs, etc.) chosen by the adversary, enabling confused deputy attacks. Second, we investigated mechanisms to enforce integrity protections on kernel software execution, in particular to restrict code reuse attacks, such as return-oriented programming. We currently trust kernel software to protect its own integrity, but a variety of kernel vulnerabilities are motivating the need for integrity protection mechanisms. We developed methods to restrict kernel execution to approved code and to restrict that code to execute under the restrictions of fine-grained control-flow integrity.

2.1  System  Resource  Retrieval  Integrity 

In the first work, we investigated the hypothesis that system programs should only interact with adversaries through a small number of program entry points, program instructions that invoke system libraries to retrieve resources (e.g., unique invocations of the open library call in each program). The set of entry points of a program that are accessible to an adversary is called its attack surface. Experience has shown that developers often fail to defend these entry points because they do not locate all the code locations where programs access system resources controlled by attackers. We developed a runtime analysis method to compute program attack surfaces in system deployments, which uses a novel approach to computing program adversaries to determine which program entry points access adversary-controlled resources. We implemented our approach as a Linux kernel mechanism capable of identifying entry points for both binary and interpreted programs. Using this mechanism, we computed the attack surfaces for all the programs in the Ubuntu Linux 10.04 Desktop distribution automatically. On examining the located attack surfaces, we discovered previously unknown vulnerabilities in an X Windows startup script available since 2006 and in the GNU IceCat web browser. Our tools enable developers to find attack surfaces for their programs quickly and to produce defenses prior to the emergence of attacks, potentially moving us away from the penetrate-and-patch rut.

"Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies," Hayawardh Vijayakumar, Guruprasad Jakka, Sandra Rueda, Joshua Schiffman, Trent Jaeger. In Proceedings of the 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS), May 2012.

We subsequently found that our mechanism for computing attack surfaces could be used to test whether programs were vulnerable to resource retrieval attacks. A resource retrieval attack can occur when a program resolves a system resource name (e.g., a file path) into a resource reference. The process of name resolution is fundamental to computer science, but its use has resulted in several classes of vulnerabilities. These vulnerabilities are difficult for programmers to eliminate because their cause is external to the program: the adversary changes namespace bindings in the system to redirect victim programs to a resource of the adversary's choosing. Researchers have also found that these attacks are very difficult to prevent systematically. Any successful defense must have both knowledge about the system namespace and the program intent to eradicate such attacks. As a result, finding and fixing program vulnerabilities to such attacks is our best defense. We developed the STING test engine, which finds name resolution vulnerabilities in programs by performing a dynamic analysis of name resolution processing to produce directed test cases whenever an attack may be possible. The key insight is that such name resolution attacks are possible whenever an adversary has write access to a directory shared with the victim, so STING automatically identifies when such directories will be accessed in name resolution to produce test cases that are likely to indicate a true vulnerability if undefended. Using STING, we found 21 previously-unknown vulnerabilities in a variety of Linux programs on Ubuntu and Fedora systems, demonstrating that comprehensive testing for name resolution vulnerabilities is practical.

"STING: Finding Name Resolution Vulnerabilities in Programs," Hayawardh Vijayakumar, Joshua Schiffman, Trent Jaeger. In Proceedings of the 21st USENIX Security Symposium, August 2012.

We then began to focus on methods to protect programs from resource retrieval attacks. We first explored whether we could infer security policies that would block such attacks using properties of the resources themselves. We developed a dynamic analysis that collected whether adversaries of the program (defined using the ASIACCS 2012 adversary model) could modify the files retrieved at each program entrypoint. We found that, by using this approach for Ubuntu 12.04, 98.5% of accesses can be restricted to prevent typical name resolution attacks and more than 65% of accesses can be restricted to a single file without creating false positives. We also examined three programs (Apache, MySQL, and PHP) in detail to evaluate the efficacy of using the provided package test suites to generate policies, finding that administrators can produce effective policies automatically.

"The right files and the right time," Hayawardh Vijayakumar and Trent Jaeger. In Proceedings of the 5th Symposium on Configuration Analytics and Automation (SafeConfig), October 2012.

We next developed a defensive mechanism to prevent adversaries from exploiting program vulnerabilities during resource retrieval, which we call a process firewall. The process firewall is a kernel mechanism that protects each system call of a process by introspecting into the current process state (e.g., call stack) and the OS's file system state to prevent processes from retrieving resources that violate integrity rules for the process and OS states. The key insight is that the process firewall only protects processes rather than confining them, so it can examine their internal state to identify the protection rules necessary to block many of these attacks without the need for program modification or user configuration. We built a prototype process firewall for Linux, demonstrating: (1) the prevention of several vulnerabilities, including two that were previously-unknown; (2) that this defense can be provided system-wide for less than 4% overhead in a variety of macrobenchmarks; and (3) that it can also improve program performance, shown by Apache handling 3-8% more requests when program resource access checks are replaced by process firewall rules. These results show that it is practical for the operating system to protect processes by preventing a variety of resource access attacks system-wide.
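The two ideas above, STING's test for an adversary-writable directory on the resolution path and the process firewall's per-retrieval rule that refuses a binding the adversary could control, can be exercised in user space without the kernel module. The following C program is an added example written for this report, not code from STING or the process firewall. It resolves a relative path one component at a time with O_NOFOLLOW, applies a simplified adversary model (root is trusted, a directory is adversary-writable if another unprivileged user owns it or it is world-writable without the sticky bit, group-write is ignored), and refuses symbolic links, '..' escapes, and names squatted in a sticky shared directory. The directory tree it builds under /tmp is constructed for the demonstration; its names and modes are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* STING's question for a directory on the resolution path: can a user other
 * than `self` (root is trusted) create or rebind names in it?  Yes when another
 * unprivileged user owns it, or when it is world-writable without the sticky
 * bit.  Group-write is ignored (a simplification of this example). */
static int dir_adversary_writable(const struct stat *st, uid_t self)
{
    if (st->st_uid != self && st->st_uid != 0)
        return 1;
    return (st->st_mode & S_IWOTH) && !(st->st_mode & S_ISVTX);
}

/* Resolve dirfd/relpath one component at a time, never following symlinks,
 * and check every binding before trusting it: the rule a process firewall
 * would apply at the open() entry point, done here in user space.
 * Returns an open fd, or -1 with `why` describing the refused binding. */
int safe_open_under(int dirfd, const char *relpath, uid_t self,
                    char *why, size_t whylen)
{
    char buf[4096];
    struct stat st;
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) {
        snprintf(why, whylen, "absolute or oversized path");
        return -1;
    }
    strcpy(buf, relpath);
    int cur = dup(dirfd);
    if (cur < 0 || fstat(cur, &st) < 0) {
        snprintf(why, whylen, "bad root: %s", strerror(errno));
        if (cur >= 0) close(cur);
        return -1;
    }
    /* A sticky, world-writable parent (like /tmp) stops rebinding of existing
     * names but still lets an adversary squat a name the victim expects. */
    int parent_sticky = (st.st_mode & S_IWOTH) && (st.st_mode & S_ISVTX);
    char *save = NULL, *comp = strtok_r(buf, "/", &save);
    if (!comp) { snprintf(why, whylen, "empty path"); close(cur); return -1; }
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) {
            snprintf(why, whylen, "'..' escapes the root");
            close(cur);
            return -1;
        }
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int fd = openat(cur, comp, flags);
        if (fd < 0 || fstat(fd, &st) < 0) {
            snprintf(why, whylen, "%s: %s", comp,
                     errno == ELOOP ? "symbolic link refused" : strerror(errno));
            if (fd >= 0) close(fd);
            close(cur);
            return -1;
        }
        const char *reason = NULL;
        if (next) {
            if (dir_adversary_writable(&st, self))
                reason = "directory writable by an adversary";
            parent_sticky = (st.st_mode & S_IWOTH) && (st.st_mode & S_ISVTX);
        } else if (!S_ISREG(st.st_mode)) {
            reason = "not a regular file";
        } else if (parent_sticky && st.st_uid != self) {
            reason = "squatted: owned by another user in a shared directory";
        }
        close(cur);
        if (reason) {
            snprintf(why, whylen, "%s: %s", comp, reason);
            close(fd);
            return -1;
        }
        cur = fd;
        comp = next;
    }
    return cur;
}

/* Constructed fixture under /tmp (names and modes are assumptions):
 *   safe/config           parent 0700, owned by self      -> allowed
 *   safe/link -> config   symbolic link                   -> refused
 *   shared/config         parent 0777 without sticky bit  -> refused
 * Returns an fd for the root directory, or -1. */
int make_fixture(char *root, size_t rootlen)
{
    char tmpl[] = "/tmp/rrint-XXXXXX";
    const char *files[] = { "safe/config", "shared/config" };
    int i;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(root, rootlen, "%s", tmpl);
    int rfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rfd < 0) return -1;
    if (mkdirat(rfd, "safe", 0700) || mkdirat(rfd, "shared", 0777) ||
        fchmodat(rfd, "shared", 0777, 0) /* undo the umask */)
        return -1;
    for (i = 0; i < 2; i++) {
        int f = openat(rfd, files[i], O_WRONLY | O_CREAT, 0600);
        if (f < 0) return -1;
        close(f);
    }
    if (symlinkat("config", rfd, "safe/link")) return -1;
    return rfd;
}

int main(void)
{
    char root[64], why[160];
    const char *paths[] = { "safe/config", "safe/link", "shared/config", "../etc/passwd" };
    int i, rfd = make_fixture(root, sizeof root);
    if (rfd < 0) { perror("fixture"); return 1; }
    for (i = 0; i < 4; i++) {
        int fd = safe_open_under(rfd, paths[i], getuid(), why, sizeof why);
        printf("%-16s %s\n", paths[i], fd >= 0 ? "allowed" : why);
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

The component-at-a-time walk with openat and fstat on the opened descriptor is what removes the TOCTTOU window: every check is made on the object that was actually opened, not on a name that could be rebound between a stat and the open.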

"Process Firewalls: Protecting Processes During Resource Access," Hayawardh Vijayakumar, Joshua Schiffman, Trent Jaeger. In Proceedings of the 2013 ACM European Conference on Computer Systems (EuroSys), April 2013.

We then explored the policy model underlying the process firewall approach. The resulting policy model highlighted two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of the system call instances. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.

"Policy Models to Protect Resource Retrieval," Hayawardh Vijayakumar, Xinyang Ge, Trent Jaeger. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT), June 2014.

A downside of the previous work is that data-flow can be difficult to compute accurately in a non-type-safe language, such as C. As a result, we then explored the principles that determine when a resource retrieval is unsafe. Critically, we developed a comprehensive defense against vulnerabilities during resource retrieval in this work. First, we identify that the fundamental reason that resource retrieval vulnerabilities exist is a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce them on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer expects during resource retrieval, thus enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache web server. JIGSAW enforces program expectations for approximately 5% overhead for Apache web servers, thus eliminating vulnerabilities during resource retrieval efficiently and in a principled manner.

"JIGSAW: Protecting resource access by inferring programmer expectations," Hayawardh Vijayakumar, Xinyang Ge, Mathias Payer, Trent Jaeger. In Proceedings of the 23rd USENIX Security Symposium, August 2014.

The results in this section culminated in the Ph.D. thesis of Hayawardh Vijayakumar, an advisee of Dr. Trent Jaeger. Hayawardh now works at Samsung Research America on the security-critical Knox project, which examines use of the ARM TrustZone architecture to improve the security of cellphone systems.

"Protecting Programs During Resource Access," Hayawardh Vijayakumar, Ph.D. dissertation, Penn State University, May 2014.


2.2  Kernel  Software  Execution  Integrity 

Computing systems now may utilize many types of privileged software, such as hypervisors, microkernels and their user-space servers, and/or conventional kernels. We will refer to this software collectively as kernel software. Traditionally, we trust kernel programmers to write code that protects the integrity of their kernel software during its execution. As a result, kernel software lacks mechanisms to protect its integrity during execution. However, we are now finding instances of malware that leverage kernel vulnerabilities to "root" the system (rather than compromising privileged user-space processes), so protecting the integrity of kernel software during its execution is now becoming necessary. In this project, we explored the enforcement of two types of integrity properties: (1) restricting kernel software to only execute approved code and (2) restricting kernel software to fine-grained control-flow integrity.

First, current smartphone processors have hardware support for running a protected environment, such as the ARM TrustZone extensions, but such hardware does not ensure that the smartphone operating system only runs approved code. In particular, a conventional operating system running with TrustZone still retains full control of memory management, which a rootkit can use to reconfigure memory management to circumvent W-xor-X protections, enabling adversaries to modify kernel code or execute data. We developed a novel mechanism called SPROBES that enables introspection of operating systems running on ARM TrustZone hardware, which can be used to mediate operations that could impact the integrity of memory management. Using SPROBES, an introspection mechanism protected by TrustZone can instrument individual operating system instructions of its choice, receiving an unforgeable trap whenever any SPROBE is executed. To protect memory management (and the SPROBES themselves), we identify a set of five invariants whose enforcement is sufficient to restrict rootkits to execute only approved, SPROBE-injected kernel code. We implemented a proof-of-concept version of SPROBES for the ARM Fast Models emulator, demonstrating that in Linux kernel 2.6.38, only 12 SPROBES are sufficient to enforce all five of these invariants. With SPROBES we show that it is possible to leverage the limited TrustZone extensions to limit conventional kernel execution to approved code comprehensively. This work appeared in the Mobile Security Technologies Workshop affiliated with the IEEE Symposium on Security and Privacy.
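The decision a trapped page-table update has to pass, as an added example in C written for this report (not SPROBES code, and not the paper's five invariants): a model of the check a secure-world probe handler makes when the normal-world kernel attempts to install a page-table entry. The entry layout, the verdicts, and the physical address range of the approved code image are assumptions of the example; only the two properties the text names are enforced, no page that is both writable and executable, and executable mappings only for the approved kernel code, which approved code may never be made writable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Abstract page-table entry: permission flags only, not the ARM descriptor
 * encoding (an assumption of this model). */
#define PTE_VALID 0x1u
#define PTE_W     0x2u
#define PTE_X     0x4u

struct pte { uint64_t phys; unsigned flags; };

/* Physical range holding the approved kernel code image, including the
 * SPROBE-instrumented instructions.  Addresses are made up for the example. */
#define KCODE_START 0x80000000ull
#define KCODE_END   0x80200000ull

enum verdict { ALLOW = 0, DENY_WX, DENY_CODE_WRITABLE, DENY_EXEC_OUTSIDE_CODE };

static const char *verdict_str[] = {
    "allow", "deny: writable and executable",
    "deny: approved code made writable", "deny: executable mapping outside approved code"
};

static int in_code(uint64_t phys) { return phys >= KCODE_START && phys < KCODE_END; }

/* The handler's decision when it traps an attempt to install `upd`: the update
 * goes through only if it keeps W-xor-X and keeps the executable set equal to
 * the (immutable) approved code image.  Unmapping never adds rights. */
enum verdict mediate_pte_write(const struct pte *upd)
{
    if (!(upd->flags & PTE_VALID)) return ALLOW;
    unsigned w = upd->flags & PTE_W, x = upd->flags & PTE_X;
    if (w && x) return DENY_WX;
    if (x && !in_code(upd->phys)) return DENY_EXEC_OUTSIDE_CODE;
    if (w && in_code(upd->phys)) return DENY_CODE_WRITABLE;
    return ALLOW;
}

/* Apply a batch of attempted updates the way the handler would: a refused
 * update leaves the table untouched.  Returns how many were refused. */
size_t apply_updates(struct pte *table, size_t nent, const size_t *idx,
                     const struct pte *upd, size_t n)
{
    size_t i, refused = 0;
    for (i = 0; i < n; i++) {
        if (idx[i] < nent && mediate_pte_write(&upd[i]) == ALLOW)
            table[idx[i]] = upd[i];
        else
            refused++;
    }
    return refused;
}

/* Audit an existing table against the same rules, as a boot-time check before
 * the probes start mediating.  Returns the number of violating entries. */
size_t table_violations(const struct pte *table, size_t nent)
{
    size_t i, bad = 0;
    for (i = 0; i < nent; i++)
        if (mediate_pte_write(&table[i]) != ALLOW) bad++;
    return bad;
}

int main(void)
{
    /* Constructed table: one code page (R+X) and one data page (R+W). */
    struct pte table[2] = { { 0x80001000ull, PTE_VALID | PTE_X },
                            { 0x90000000ull, PTE_VALID | PTE_W } };
    /* What a rootkit would try: make the code page writable, then make the
     * data page executable, then a legitimate remap of the data page. */
    const struct pte attempts[3] = { { 0x80001000ull, PTE_VALID | PTE_W },
                                     { 0x90000000ull, PTE_VALID | PTE_X | PTE_W },
                                     { 0x90001000ull, PTE_VALID | PTE_W } };
    const size_t idx[3] = { 0, 1, 1 };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("update %zu -> %s\n", i, verdict_str[mediate_pte_write(&attempts[i])]);
    printf("refused: %zu, violations after batch: %zu\n",
           apply_updates(table, 2, idx, attempts, 3), table_violations(table, 2));
    return 0;
}
```

The point of keeping the approved code range and the verdict logic inside the secure world is that the normal-world kernel, even when fully compromised, cannot change the inputs to the decision; it can only attempt updates and receive the trap.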

"SProbes: Enforcing Kernel Code Integrity on the TrustZone Architecture," Xinyang Ge, Hayawardh Vijayakumar, Trent Jaeger. In Proceedings of the Mobile Security Technologies 2014 Workshop (MoST14), in conjunction with the IEEE Symposium on Security and Privacy, May 2014.

Second, even with restrictions that limit privileged kernel software to execute only approved code, code reuse attacks are still possible. To prevent code reuse attacks, researchers have recommended enforcing control-flow integrity (CFI). However, researchers have found it difficult to produce fine-grained control flow graphs (CFGs) to restrict adversaries and have expressed concerns about enforcing CFI efficiently. We have found that it is not only possible to compute a fine-grained CFG for kernel software, but that we can leverage the fine-grained CFG to enforce CFI more efficiently than coarse-grained CFI. To compute a fine-grained CFG, we find that kernel software programmers largely use function pointers in a restricted way that enables us to compute an accurate CFG using a static taint analysis. To enforce this CFG efficiently, we select optimal instrumentation for each indirect call/return site. We also leverage the fact that many indirect control transfers only have one target in kernel software.

We evaluate the effectiveness of the proposed fine-grained CFI mechanism on kernel software and apply the mechanism comprehensively to FreeBSD, the MINIX microkernel system, and MINIX's user-space servers, on Intel x86 platforms. We show that our approach eliminates over 70% of the indirect targets that are otherwise allowed by current fine-grained CFI techniques, while our implementation incurs 1.82% performance overhead on FreeBSD and 0.76% on MINIX on macrobenchmarks, and 11.91%/42.03% (average/maximum) and 2.02%/5.64% overhead on microbenchmarks, respectively, which are lower overheads than a comparable coarse-grained CFI implementation. As a result, we find that fine-grained CFI can be practical and efficient for critical kernel software.
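What the per-site instrumentation looks like once the taint analysis has produced a target set for each indirect call site, as an added example in C written for this report (not the authors' instrumentation or CFG analysis): a miniature dispatch structure of the kind a kernel keeps in a file-operations table, a single-target site that is checked with one compare and then called directly, a multi-target site checked against its own set, and a coarse-grained policy (any function entry of the right type) for contrast. The handler functions, the per-site target sets, and the hijacked table are constructed for the example; in the real system the sets come from the static analysis of which functions are ever assigned to each pointer.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* Functions in the "kernel" image (the approved code). */
static int h_read(int n)  { return n + 1; }
static int h_write(int n) { return n * 2; }
static int h_ioctl(int n) { return -n; }
/* Same type as the others but never stored into any function pointer.  A
 * coarse-grained policy that accepts any function entry still lets a
 * hijacked pointer reach it; the per-site sets below do not. */
static int h_unreachable(int n) { return n ^ 0x5a5a; }

#define CFI_VIOLATION (-0x7fffffff)

/* Coarse-grained policy: is fp any function entry in the image? */
static const handler_t all_entries[] = { h_read, h_write, h_ioctl, h_unreachable };
int coarse_cfi_ok(handler_t fp)
{
    size_t i;
    for (i = 0; i < sizeof all_entries / sizeof all_entries[0]; i++)
        if (fp == all_entries[i]) return 1;
    return 0;
}

/* Site A: the analysis found exactly one function ever flows to the pointer
 * this site loads, so the check is a single compare and the call is direct. */
int site_a_ioctl(handler_t fp, int arg)
{
    if (fp != h_ioctl) return CFI_VIOLATION;
    return h_ioctl(arg);
}

/* Site B: two functions flow to this pointer; check membership in the site's
 * own set before the indirect call. */
static const handler_t site_b_targets[] = { h_read, h_write };
int site_b_rw(handler_t fp, int arg)
{
    size_t i;
    for (i = 0; i < sizeof site_b_targets / sizeof site_b_targets[0]; i++)
        if (fp == site_b_targets[i]) return fp(arg);
    return CFI_VIOLATION;
}

/* A dispatch table as the kernel holds it, and one an attacker has overwritten
 * with pointers that are valid function entries but wrong for their sites. */
struct file_ops { handler_t rw; handler_t ioctl; };
const struct file_ops good_ops = { h_read, h_ioctl };
const struct file_ops hijacked_ops = { h_unreachable, h_write };

static void show(const char *label, const struct file_ops *ops)
{
    int r = site_b_rw(ops->rw, 7), c = site_a_ioctl(ops->ioctl, 7);
    printf("%s: rw -> %s, ioctl -> %s (coarse CFI accepts both: %d)\n", label,
           r == CFI_VIOLATION ? "CFI violation" : "ok",
           c == CFI_VIOLATION ? "CFI violation" : "ok",
           coarse_cfi_ok(ops->rw) && coarse_cfi_ok(ops->ioctl));
}

int main(void)
{
    show("good table    ", &good_ops);
    show("hijacked table", &hijacked_ops);
    return 0;
}
```

The hijacked table is the case that separates the two policies: h_write is a legitimate entry in the image, so the coarse check passes it at the ioctl site, while the site-specific set rejects it. That is the class of target the text reports removing from the allowed set.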

"Fine-Grained Control-Flow Integrity for Kernel Software," Xinyang Ge, Mathias Payer, Trent Jaeger. Penn State Institute of Networking and Security Research Technical Report, NAS-TR-0183-2015, May 2015.


3  Integrity  Safety  in  Middleware 

We also focused on the integrity of extensible Web browsers. Most browsers support an extensible architecture, in which code written by untrusted third parties enhances the core functionality of the browser. This code is privileged, and can access most of the sensitive state stored in the browser, such as cookies, browsing history, and the contents of individual web pages loaded by the browser. Extension code is not sandboxed in the way that web application code is by the same-origin policy.

To  address  such  threats,  modern  Web  browsers  have  actively  sought  to  apply  security  principles  to  the  design 
of  extension  code.  The  Mozilla  Jetpack  project  and  the  Chrome  extensions  project  aim  to  build  a  programming 
interface  and  the  supporting  infrastructure  that  will  allow  better  control  over  the  execution  of  untrusted  third-party 
extension  code.  In  particular,  the  projects  aim  to  enforce  the  principles  of  least  privilege  and  privilege  separation, 
and  attempt  to  compartmentalize  extension  code  so  as  to  limit  the  impact  of  exploits  against  vulnerable  extensions. 

This part of the project had two main goals. The first goal was to evaluate the extent to which modern extension architectures achieve their security goals. Specifically, we used static analysis to study capability leaks in Jetpack modules and add-ons, i.e., cases where code violates modularity by leaking a pointer to a privileged resource to another module. We implemented Beacon, a static analysis tool to identify the leaks, and used it to analyze 77 core modules from the Jetpack framework and another 359 Jetpack add-ons. In total, Beacon analyzed over 600 Jetpack modules and detected 12 capability leaks in 4 core modules and another 24 capability leaks in 7 Jetpack add-ons. Beacon also detected 10 over-privileged core modules. We shared the details with Mozilla's development team, who have acknowledged our findings. These results were published in our paper at ECOOP'12:

"An Analysis of the Mozilla Jetpack Extension Framework," Rezwana Karim, Mohan Dhawan, Vinod Ganapathy, Chung-chieh Shan, Proceedings of the 26th European Conference on Object-Oriented Programming (ECOOP 2012). Published as Volume 7313 of Lecture Notes in Computer Science (LNCS), pages 333-355; Beijing, China; June 11-16, 2012.

Having characterized the security of extension frameworks, our second goal was to build a tool to systematically port legacy browser extensions to these modern frameworks. Specifically, we built Morpheus, a tool that retargets legacy extensions for the Mozilla Firefox browser and ports them to the Jetpack framework. Morpheus uses static JavaScript analysis and transformation to automatically compartmentalize legacy browser extensions and make them modular. In our experimental evaluation, we have applied Morpheus to port 52 legacy Firefox extensions to the Jetpack framework. The results of this work were published in our paper at ECOOP'14:

"Retargetting Legacy Browser Extensions to Modern Extension Frameworks," Rezwana Karim, Mohan Dhawan, Vinod Ganapathy, Proceedings of the 28th European Conference on Object-Oriented Programming (ECOOP 2014). Published as Volume 8586 of Lecture Notes in Computer Science (LNCS), pages 463-488; Uppsala, Sweden; July 28-August 1, 2014.


4  Integrity  Safety  in  Programs 

Researchers have shown that the addition of security mechanisms can have a significant positive impact on protecting the integrity of programs and the data that they process. For example, reference validation mechanisms that satisfy the reference monitor concept can ensure that the program protects data integrity. The challenge is for programmers to extend their programs with such mechanisms correctly. Adding such mechanisms manually is a complex and error-prone task, taking several years and leading to new vulnerabilities. In this part of the project, we have explored mostly-automated mechanisms to retrofit legacy programs with security code to protect data integrity.

First, several recent operating systems provide system calls that allow an application to explicitly manage the privileges of modules with which the application interacts. Such privilege-aware operating systems allow a programmer to write a program that satisfies a strong security policy, even when it interacts with untrusted modules. However, it is often non-trivial to rewrite a program to correctly use the system calls to satisfy a high-level security policy. This work concerns the policy-weaving problem, which is to take as input a program, a desired high-level policy for the program, and a description of how system calls affect privilege, and automatically rewrite the program to invoke the system calls so that it satisfies the policy. We present an algorithm that solves the policy-weaving problem by reducing it to finding a winning modular strategy for a visibly pushdown safety game, and applies a novel game-solving algorithm to the resulting game. Our experiments demonstrate that our algorithm can efficiently rewrite practical programs for a practical privilege-aware system.

"Secure Programming via Visibly Pushdown Safety Games," William R. Harris, Somesh Jha, Thomas W. Reps. In Proceedings of Computer Aided Verification (CAV), pgs. 581-598, July 2012.

Second, we explored a mostly-automated approach to augment servers that manage resources on behalf of multiple, mutually-distrusting clients so that they mediate access to those resources and ensure that each client request complies with an authorization policy. This goal is typically achieved by placing authorization hooks at appropriate locations in server code. The goal of authorization hook placement is to completely mediate all security-sensitive operations on shared resources. We proposed an automated hook placement approach that is motivated by a novel observation: the deliberate choices made by clients of objects from server collections, and of how those objects are processed, must all be authorized. We have built a tool that uses this observation to statically analyze the server source. Using real-world examples (the X server and PostgreSQL), we show that the hooks placed by our method are just as effective as hooks that were manually placed over the course of years, while greatly reducing the burden on programmers.

"Leveraging 'Choice' to Automate Authorization Hook Placement," Divya Muthukumaran, Trent Jaeger, Vinod Ganapathy. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2012.

We developed a mostly-automated method to transform a set of commodity MAC policies in hosts, programs, and virtualization platforms into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrated the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) that only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.

“Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity,” Divya Muthukumaran, Sandra Rueda, Nirupama Talele, Hayawardh Vijayakumar, Trent Jaeger, Jason Teutsch, Nigel Edwards. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), December 2012.
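
To make the entrypoint-mediation idea concrete, the following added example (written for this report, not the authors' tool) encodes a constructed SELinux-style policy as (subject type, object type, permissions) triples, computes which objects untrusted subjects can write, and reports every place a trusted subject reads such an object as an entrypoint that needs a mediator. It also propagates integrity taint through the policy to show how far unmediated low-integrity data would spread, and how a single mediator cuts that spread. The type names and policy are constructed for illustration and are not a real distribution's policy.

```python
from collections import defaultdict, deque

# Constructed toy MAC policy for a web host: (subject type, object type, permissions).
# Type names follow SELinux naming conventions but the policy is illustrative only.
POLICY = [
    ("httpd_t",     "httpd_config_t", {"read"}),
    ("httpd_t",     "http_port_t",    {"read", "write"}),
    ("remote_t",    "http_port_t",    {"write"}),          # remote clients send requests
    ("httpd_t",     "httpd_log_t",    {"write"}),
    ("logrotate_t", "httpd_log_t",    {"read", "write"}),
    ("httpd_t",     "mysqld_sock_t",  {"write"}),
    ("mysqld_t",    "mysqld_sock_t",  {"read"}),
    ("mysqld_t",    "mysqld_db_t",    {"read", "write"}),
    ("user_t",      "user_home_t",    {"read", "write"}),  # local users edit public_html
    ("httpd_t",     "user_home_t",    {"read"}),
]
TRUSTED = {"httpd_t", "mysqld_t", "logrotate_t"}   # subjects whose integrity we protect
REMOTE = {"remote_t"}                               # the remote adversary
LOCAL_UNTRUSTED = {"user_t"}                        # local low-integrity subjects


def flows(policy):
    """Split the policy into write edges (subject -> objects) and read edges (object -> subjects)."""
    writes, reads = defaultdict(set), defaultdict(set)
    for subject, obj, perms in policy:
        if "write" in perms:
            writes[subject].add(obj)
        if "read" in perms:
            reads[obj].add(subject)
    return writes, reads


def required_mediators(policy, trusted, untrusted):
    """Entrypoints where a trusted subject reads an object an untrusted subject can write.

    Each (subject, object, origin) triple needs an integrity-verifying mediator
    (a filter at the program entrypoint) to approximate Clark-Wilson integrity.
    """
    writes, reads = flows(policy)
    mediators = set()
    for origin in untrusted:
        for obj in writes[origin]:
            for reader in reads[obj]:
                if reader in trusted:
                    mediators.add((reader, obj, origin))
    return sorted(mediators)


def propagate(policy, sources, mediated=frozenset()):
    """Subjects and objects reachable by low-integrity data flowing from `sources`.

    `mediated` holds (subject, object) reads that a mediator filters, which
    stops the taint at that entrypoint.
    """
    writes, reads = flows(policy)
    tainted_subjects, tainted_objects = set(), set()
    seen, queue = set(sources), deque(sources)
    while queue:
        subject = queue.popleft()
        for obj in writes[subject]:
            tainted_objects.add(obj)
            for reader in reads[obj]:
                if reader in seen or (reader, obj) in mediated:
                    continue
                seen.add(reader)
                tainted_subjects.add(reader)
                queue.append(reader)
    return tainted_subjects, tainted_objects


if __name__ == "__main__":
    for reader, obj, origin in required_mediators(POLICY, TRUSTED, REMOTE | LOCAL_UNTRUSTED):
        kind = "remote" if origin in REMOTE else "local"
        print(f"{kind} threat: {reader} reads {obj} written by {origin}: needs a mediator")
    subjects, objects = propagate(POLICY, REMOTE)
    print("unmediated remote input reaches:", sorted(subjects), sorted(objects))
    subjects, objects = propagate(POLICY, REMOTE, mediated={("httpd_t", "http_port_t")})
    print("with one mediator it reaches:", sorted(subjects), sorted(objects))
```

On this toy policy the remote adversary needs a single mediator (the web server's network input) while the local threat needs one more (user-owned content read by the server); without the first mediator the taint reaches the log rotator and the database through the server's own writes, which is exactly the transitive exposure that entrypoint mediation is meant to cut off.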

Next, we explored methods to retrofit programs for specific security enforcement systems, such as the Capsicum capability system, which allows a programmer to write an application that satisfies strong security properties by invoking security-specific system calls at a few key points in the program. However, rewriting an application to invoke such system calls correctly is an error-prone process: even the Capsicum developers have reported difficulties in rewriting programs to correctly invoke system calls. We developed capweave, a tool that takes as input (i) an LLVM program and (ii) a declarative policy of the possibly-changing capabilities that a program must hold during its execution, and rewrites the program to use Capsicum system calls to enforce the policy. Our experiments demonstrate that capweave can be applied to rewrite security-critical UNIX utilities to satisfy practical security policies, that capweave itself works quickly, and that the runtime overhead incurred in the programs that capweave produces is generally low for practical workloads.

“Declarative, Temporal, and Practical Programming with Capabilities,” William R. Harris, Somesh Jha, Thomas W. Reps, Jonathan Anderson, Robert N. M. Watson. In Proceedings of the IEEE Symposium on Security and Privacy, pgs. 18-32, May 2013.
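
The kind of declarative, temporal capability policy that capweave consumes can be illustrated with a small weaver. The following added example is written for this report and is neither capweave nor the Capsicum API: a program is modelled as an ordered list of phases, each exercising some rights, and the policy states the rights each phase may hold. The weaver inserts a hypothetical `limit` instruction (standing in for Capsicum's rights-reducing calls) wherever the allowed rights shrink, and rejects policies that a one-way capability system cannot enforce: a phase that needs a right the policy denies, or a policy that would require rights to be regained later.

```python
ALL_RIGHTS = frozenset({"open", "connect", "read", "write"})

# Constructed toy program: ordered phases and the rights each phase exercises.
PROGRAM = [
    ("parse_args", set()),
    ("open_files", {"open"}),
    ("process",    {"read", "write"}),
    ("report",     {"write"}),
]

# Constructed declarative policy: the rights the program may hold in each phase.
POLICY = {
    "parse_args": ALL_RIGHTS,
    "open_files": ALL_RIGHTS,
    "process":    frozenset({"read", "write"}),
    "report":     frozenset({"write"}),
}


class PolicyError(ValueError):
    """Raised when the policy cannot be enforced by monotonically dropping rights."""


def weave(program, policy):
    """Return the rewritten program as a list of instructions.

    ("limit", rights) is emitted before a phase that must drop rights and
    ("run", phase) for each phase itself. This mirrors the key constraint of
    capability systems such as Capsicum: rights can only be reduced, never
    regained, so the allowed sets must shrink along the execution path.
    """
    held = ALL_RIGHTS
    rewritten = []
    for phase, uses in program:
        allowed = frozenset(policy[phase])
        if not uses <= allowed:
            raise PolicyError(f"{phase} uses {sorted(uses - allowed)} which the policy denies")
        if not allowed <= held:
            raise PolicyError(f"{phase} would need to regain {sorted(allowed - held)}")
        if allowed != held:
            rewritten.append(("limit", allowed))   # stand-in for a rights-reducing syscall
            held = allowed
        rewritten.append(("run", phase))
    return rewritten


def simulate(rewritten, program):
    """Run the rewritten program against the model; return the rights held in each phase.

    Raises AssertionError if a phase exercises a right that was already dropped,
    i.e. if the weaver placed a limit too early.
    """
    uses = dict(program)
    held, trace = ALL_RIGHTS, []
    for kind, arg in rewritten:
        if kind == "limit":
            held = held & arg                # limits only ever reduce the held set
        else:
            assert uses[arg] <= held, f"{arg} attempted {sorted(uses[arg] - held)} without rights"
            trace.append((arg, held))
    return trace


if __name__ == "__main__":
    woven = weave(PROGRAM, POLICY)
    for step in woven:
        print(step)
    print(simulate(woven, PROGRAM))
    bad = dict(POLICY, report=frozenset({"write", "open"}))
    try:
        weave(PROGRAM, bad)
    except PolicyError as err:
        print("rejected:", err)
```

The regain check is the part a hand-written port most often gets wrong: a program that enters capability mode and later needs to open a file by path cannot be fixed by a later syscall, only by restructuring the program or loosening the earlier phase, and a declarative policy makes that conflict visible before any code is rewritten.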

Next, we explored the development of an interactive program analysis that programmers can apply to validate that their manual optimizations do not change their programs' semantics. Our analysis casts the problem of validating an optimization as an abductive inference problem in the context of checking program equivalence. Our analysis solves the abductive equivalence problem by interacting with the programmer, so that the programmer implements a solver for a logical theory that models the library functions invoked by the program. We have used our analysis to validate optimizations of real-world, mature applications: the Apache software suite, the Mozilla Suite, and the MySQL database.

“Validating Library Usage Interactively,” William R. Harris, Guoliang Jin, Shan Lu, Somesh Jha. In Proceedings of Computer Aided Verification (CAV), pgs. 796-812, July 2013.

We also published an abstract summarizing the approach of game-based synthesis for the development of programs that enforce integrity requirements.

“Secure programs via game-based synthesis,” Somesh Jha, Thomas W. Reps, William R. Harris. In Proceedings of Formal Methods in Computer-Aided Design, pgs. 12-13, October 2013.

Lastly, we explored algorithms that automatically compute a minimal authorization hook placement that satisfies constraints that describe desirable access control policies. These authorization constraints describe expectations about the access control policies that a program will enforce. Such constraints reduce the space of enforceable ac-